I'm working on a login script and I need it to check a field in my database table called "active" which stores a 0 or 1, 0 representing an inactive account and 1 representing an active account. When the user registers to the site it sets the active field to 0 by default. I need the login script to check whether the account is active or inactive: if inactive, display an error; if active, let them log in. Can anyone help me? The code commented starting at the line /* Check account is active or inactive */ is where I'm having difficulty.

my code is:

<?php

$validation = "";

/**
 * Checks whether or not the given username is in the
 * database, if so it checks if the given password is
 * the same password in the database for that user.
 * If the user doesn't exist or if the passwords don't
 * match up, it returns an error code (1 or 2).
 * On success it returns 0.
 */
function confirmUser($username, $password){
    global $conn;
    /* Add slashes if necessary (for query) */
    if(!get_magic_quotes_gpc()) {
        $username = addslashes($username);
    }
    /* The rest of the function, including the block starting at
       "Check account is active or inactive", was cut off in the post. */
}

Personally, I'd do things a bit differently. For security reasons, when dealing with logins I try to remain as ambiguous as I can about why a login actually failed. After a few attempts I'd like to freeze the account. If a person is having trouble logging in and can't figure out why, I'd recommend them to the Forgot My Password page where I'd issue a new password via signup email.

Secondly, I'd save a few queries and only run one query something like this:

If the count returns 1 then you know its a valid user/password combo else the login is invalid.

Finally, are you storing plain text passwords? If so, I'd recommend at the very least hashing them with a hash algorithm.

PRodgers4284

02-21-2008, 11:32 AM

> Personally, I'd do things a bit differently. For security reasons, when dealing with logins I try to remain as ambiguous as I can about why a login actually failed. After a few attempts I'd like to freeze the account. If a person is having trouble logging in and can't figure out why, I'd recommend them to the Forgot My Password page where I'd issue a new password via signup email.
>
> Secondly, I'd save a few queries and only run one query something like this:

What data type is the column active? If it's an int then you need to remove the quotes from the 0. You may also want to check and see if register_globals is off. If not, someone could just do something like this:
http://yoursite.com/login.php?result=1&username=Aero. This will now allow a user with username Aero access to wherever you don't want them to be. You really should be hashing the passwords. Here is a good article on writing secure PHP: http://www.ilovejackdaniels.com/php/writing-secure-php/

PRodgers4284

02-21-2008, 08:21 PM

> What data type is the column active? If it's an int then you need to remove the quotes from the 0. You may also want to check and see if register_globals is off. If not, someone could just do something like this:
> http://yoursite.com/login.php?result=1&username=Aero. This will now allow a user with username Aero access to wherever you don't want them to be. You really should be hashing the passwords. Here is a good article on writing secure PHP: http://www.ilovejackdaniels.com/php/writing-secure-php/

Aerospace, thanks for the reply. The active field type is "int"; I have removed the quotes but it still doesn't check if the user is active or not. Is there anything else I can try?

<?php
// Note: the mysql_* functions used here only exist in PHP 5; they were removed in PHP 7.
function confirmUser($username, $password)
{
    $val = '';
    global $conn;
    // if magic_quotes_gpc is on, the input already has slashes added, so strip them first
    if (ini_get('magic_quotes_gpc'))
    {
        $username = stripslashes($username);
    }
    // use mysql_real_escape_string since that is what it is meant for, in place of addslashes
    $username = mysql_real_escape_string($username, $conn);

    /* The query and checks between here and the else branch were missing from the post;
       reconstructed from the return-code comments at the bottom of the function.
       Assumed table/column names: users(username, password, active). */
    $result = mysql_query("SELECT password, active FROM users WHERE username = '$username'", $conn);
    if ($result && mysql_num_rows($result) == 1)
    {
        $row = mysql_fetch_assoc($result);
        // the replies above recommend comparing against a stored hash rather than plain text
        if ($row['password'] != $password)
        {
            $val = 2;
        }
        else if ((int) $row['active'] != 1)
        {
            $val = 3;
        }
        else
        {
            $val = 0;
        }
    }
    else
    {
        // if somehow the if/else clause gets to here it will set $val to -1
        $val = -1;
    }
    // finally we return val
    // $val = 0 username and password are good
    // $val = 2 password is wrong but again just use a standard error like Login Error
    // $val = 3 account is inactive
    // $val = -1 there is likely the same username twice in the database or something went wrong
    return $val;
}
?>
Usage:

echo confirmUser('Aero','dog'); // will return an integer according to the check
Read the comments as they help you learn.
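The single-query, hashed-password version of the check that the replies above recommend, written as an added example (not code from this thread). It assumes a users table with columns username, password_hash and active, keeps the inactive return code 3 from the snippet above, and the demo at the bottom uses a constructed in-memory SQLite database so it runs offline.

```php
<?php
// Added example, not code from the thread. Assumed schema: users(username,
// password_hash, active) with active as an int, 0 = inactive, 1 = active.

const LOGIN_OK       = 0;
const LOGIN_FAILED   = 1; // unknown user OR wrong password: deliberately one code
const LOGIN_INACTIVE = 3; // same value the thread's final snippet uses

function confirmUser(PDO $pdo, string $username, string $password): int
{
    // One query fetches everything the check needs; the bound parameter replaces
    // the addslashes()/mysql_real_escape_string() and magic_quotes handling.
    $stmt = $pdo->prepare('SELECT password_hash, active FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    if (count($rows) !== 1) {
        // No such user (or a duplicate username). Verify against a throwaway hash
        // anyway so a missing user is not noticeably faster than a wrong password.
        static $dummyHash = null;
        $dummyHash = $dummyHash ?? password_hash('dummy', PASSWORD_DEFAULT);
        password_verify($password, $dummyHash);
        return LOGIN_FAILED;
    }
    if (!password_verify($password, $rows[0]['password_hash'])) {
        return LOGIN_FAILED;
    }
    // Only once the password has matched is the inactive state disclosed.
    return ((int) $rows[0]['active'] === 1) ? LOGIN_OK : LOGIN_INACTIVE;
}

// Registration: store a hash, never the plain password, and start with active = 0.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash, active) VALUES (:u, :h, 0)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Demo against a constructed in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT UNIQUE, password_hash TEXT, active INTEGER NOT NULL DEFAULT 0)');
registerUser($pdo, 'Aero', 'dog');
var_dump(confirmUser($pdo, 'Aero', 'dog'));   // right password, account still inactive
$pdo->exec("UPDATE users SET active = 1 WHERE username = 'Aero'");
var_dump(confirmUser($pdo, 'Aero', 'dog'));   // active account, right password
var_dump(confirmUser($pdo, 'Aero', 'cat'));   // wrong password
var_dump(confirmUser($pdo, 'nobody', 'dog')); // unknown user: indistinguishable from wrong password
```

Because the result is a local return value rather than a global, the register_globals trick from the earlier reply (setting result via the query string) has nothing to overwrite.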